
Victims Lose Access to Thousands of Photos as Instagram Hack Spreads

In a probable quest to build a botnet, someone is hacking Instagram accounts, deleting handles, avatars and personal details, and linking them to a new email address.

An Instagram hack is spreading across the internet, with increasing numbers of victims finding their accounts hijacked and personal details altered — and account recovery so far impossible.

Since the beginning of the month, users have been experiencing unexpected log-outs from their accounts; after that, their handles, avatars and personal details such as bios are deleted. The accounts are then linked to a new email address, which subverts the standard account-recovery process.

Oddly, prior, legitimate posts haven’t been deleted, nor have new posts appeared on the hijacked accounts’ timelines. This has led at least one security researcher to speculate that the malefactor is on a quest to build a botnet.

“Although no one seems to know for sure, I assume the hacked accounts were intended to be used as spambots,” said Paul Bischoff, privacy advocate at Comparitech.com, via email. “Even if some victims regain control of their accounts, many of those affected have likely quit the platform or just won’t go through the trouble, adding soldiers to the spambot army.”

The threat actor remains unknown; while the newly linked email address is on a Russian .ru domain, that could be a red herring meant to steer attribution away from the true perpetrator.

“Having a hacked account associated with a Russian email address may well signify that the attacker is a resident of that country, but it is certainly not a foregone conclusion – email addresses are easily spoofed, either to conceal identity or to encourage finger pointing toward the wrong place,” said Lee Munson, security researcher at Comparitech.com, in an email.

The situation, first reported by Mashable, seems to be worsening, with hundreds of complaints flooding the photo-sharing site’s Twitter feed, and many comments filtering into Reddit.

Many complain that they are getting no response from Instagram when they ask for help in gaining control of their accounts.

“@instagram this is the 6th time I’ve reached out and no response… my account has been hacked and I need it recovered!!,” said one disgruntled user, @brycehendrixx.

Others complained of deeper issues: “@instagram someone hacked my account and changed my username and pword but is keeping all of my pictures up as if it is them,” tweeted Alyssa Rogalski. “You rejected my report and said they did not violate any of your guidelines, so youre saying it’s ok if someone hacking and impersonating me?”

For its part, Instagram – which is owned by Facebook – issued a boilerplate media statement: “We work hard to provide the Instagram community with a safe and secure experience. When we become aware of an account that has been compromised, we shut off access to the account and the people who’ve been affected are put through a remediation process so they can reset their password and take other necessary steps to secure their accounts.”

However, as mentioned, account recovery doesn’t seem to be on the table for most victims.

“My account has been hacked for 3 days now and no one has reached out,” tweeted one affected user, Liz Teal. “Email, phone number, username and profile picture changed- so you cannot go through the steps they have in place on their FAQ page. Unbelievable!”

Threatpost has reached out to Instagram directly and will update this post with any further details or responses.

“There’s not much to go on now, and Instagram has not stated how or why these attacks occurred,” said Bischoff. “While it is possible that hackers breached Instagram to take over these accounts, I think it is more likely that the victims’ login credentials were stolen by malware or compromised in a phishing attempt. The original report does not specify whether victims are Android or iOS users, which would have helped to pinpoint the cause.”

Perhaps most perplexing, one victim told Mashable that he had two-factor authentication (2FA) enabled – and was still hacked. There could be straightforward explanations for this, according to researchers.

“While it’s unclear how these hackers defeated Instagram’s 2FA, it likely has to do with the spate of SIM hacking that has seen several prominent websites being hacked,” said Bill Evans, vice president at One Identity, via email. “To thwart this scenario, websites need to build support for app-based 2FA…It’s far less susceptible to hacking than SMS-based hacking, which depends on a second factor code being sent via SMS to the user’s phone. As previously reported, it appears that Instagram is moving in this direction – which is great.”

Comparitech.com’s Munson added: “While 2FA is a very good secondary line of defense, it is not infallible. Typically, it can be circumvented via phishing – either tricking someone into revealing the 2FA identifier or, far more likely, by getting them to log in to a fake version of the site they were intending to visit. To protect against such account hijacks on Instagram, people should definitely employ two-factor authentication, but they should also be careful to only access the site through the app (only downloaded from an official app store) or by typing the URL directly into their browser.”

Discussion

I’ve tried to help a friend to recover her account which was hacked this way over two years ago (yes the problem has been around for a while). There is no way to get the attention of Instagram to get any assistance. There are some who have posted about this and how they got a resolution from Instagram however Instagram has changed the help pages and process so the various blog posts have become irrelevant. It may be up to someone of importance to sue them to get their attention. Or maybe increased media attention will draw a result. Anything done by an individual is pointless it seems.

My account was hacked on 8/25/2018 and disabled by Instagram on 8/26/2018. I was unable to log in to my account so I had a friend check it out, only to see that my Instagram bio had been completely cleared and my handle was changed to @kenisromina. When I sent a request to change the password, it was sent to a Russian email ending in .ru. I submitted multiple forms through the Instagram app complaining about the hack but I only received hopeless emails from bots saying that my identity couldn’t be verified — even though I was sending these ridiculous photos of myself holding a code they sent me. After reporting my account from a new Instagram, my original Instagram @kenisromina was disabled by their support team. What’s even worse is that I can't even appeal this disablement because I lost all of my login information when my account was hacked and the app literally doesn’t allow me to appeal it without the login information. Such a terrible flaw in their system.

Authors

Threatpost
